Designing the Active Directory Structure


Creating OUs to Hide Objects

Even if a user does not have the right to read the attributes of an object, that user can still see that the object exists by enumerating the contents of that object's parent container. The easiest and most efficient way to hide an object or set of objects is to create an OU for those objects and limit the set of users who have the List Contents right for that OU.

To create an OU to hide objects

  1. Create the OU where you will hide objects.
  2. Click the Security tab on the property sheet of the OU.
  3. Remove all existing permissions from the OU.
  4. In the Advanced dialog box, clear the Inherit permissions from parent check box.
  5. Identify the groups that you want to have full control on the OU. Using the Security tab on the property sheet, grant those groups full control.
  6. Identify the groups that should have generic read access on the OU and its contents. Using the Security tab on the property sheet, grant those groups read access.
  7. Identify any other groups that might need specific access, such as the right to create or delete a particular class of objects, on the OU. Using the Security tab on the property sheet, grant those groups the specific access.
  8. Move the objects you want to hide into the OU.

Only users who can modify the ACL on an OU will be able to hide objects in this manner.
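The same procedure, scripted with the ActiveDirectory PowerShell module, as an added example rather than text from the original page. The OU distinguished name, the three group names and the object class are assumed placeholders; the script performs steps 3 through 7 and then lists who still holds List Contents on the OU.

```powershell
# Added example (not from the original page): steps 3-7 with the ActiveDirectory
# module. OU DN, group names and object class are assumed values for illustration.
Import-Module ActiveDirectory
$ouPath      = "AD:\OU=Hidden,DC=corp,DC=example"   # assumed OU created in step 1
$fullControl = "HiddenOU-Admins"                     # assumed group for step 5
$readers     = "HiddenOU-Readers"                    # assumed group for step 6
$creators    = "HiddenOU-Provisioning"               # assumed group for step 7
$objectClass = "user"                                # class that $creators may create/delete

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# schemaIDGUID of the class, required for the object-specific ACE in step 7
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$objectClass)" `
                                 -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path $ouPath
# Step 4 first: stop inheriting from the parent without copying the inherited ACEs;
# inherited entries cannot be removed while inheritance is still on.
$acl.SetAccessRuleProtection($true, $false)
# Step 3: remove every explicit ACE. The groups granted below must therefore include
# every administrative principal that still needs access to the OU.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
# Step 5: full control on the OU and everything beneath it
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $fullControl).SID, $rights::GenericAll, $allow, $inherit)))
# Step 6: generic read; this includes List Contents, so these groups can see the objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $readers).SID, $rights::GenericRead, $allow, $inherit)))
# Step 7: create and delete only objects of one class, on the OU itself
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup $creators).SID, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
    $classGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
Set-Acl -Path $ouPath -AclObject $acl

# Check: who holds List Contents (ListChildren) on the OU after the change?
# Any unexpected principal here, such as Authenticated Users, means the OU is not hiding its objects.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -band $rights::ListChildren) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```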

© 1985-2000 Microsoft Corporation. All rights reserved.